Multiply your money in a few clicks: a flaw discovered on Osmosis DEX

Hackers have claimed a new victim. Osmosis is a blockchain in the Cosmos ecosystem developed by Osmosis Labs. In practice, it hosts Osmosis DEX, one of the main decentralized exchange platforms of Cosmos. It was recently hit by a breach that resulted in the loss of 5 million dollars.

Osmosis DEX flaw: double your money in a few clicks

On June 8, the user Straight-Hat3855 from the /r/cosmosnetwork subreddit alerted the community to a curious issue affecting the Osmosis decentralized exchange. Indeed, he discovered that a bug affected liquidity pools.

“Go put $5 in Pool 1. Add liquidity, then take liquidity out. Now you have $15.”

A surprising message, which puzzled many Internet users, convinced that it could not be true. Obviously, many of them still went to verify Straight-Hat3855's claims for themselves.

To their surprise, his assertions were well founded. After this discovery, many users began to repeat the operation in order to easily multiply their funds.

Indeed, unlike most DeFi bugs requiring flash loans, or an advanced understanding of smart contracts, this one could be exploited by anyone.

This is notably the case of the address osmo1hq, which repeated the maneuver dozens of times. At each iteration, it recovered 50% more than the amount initially deposited.

Example of two transactions of adding and then withdrawing liquidity, with a gain of 50%.


5 million stolen: Osmosis forced to pause the chain

Obviously, many users performed the same technique as osmo1hq. As a result, more than $5 million were siphoned from the Osmosis DEX liquidity pools.

Shortly after the events, the Osmosis teams communicated via Twitter, confirming the presence of the flaw. They also decided to pause the Osmosis chain for as long as it took to correct the fault, so as not to add to the losses.

“Hello Osmosis friends. Since block #4713064, the Osmosis chain has been shut down for emergency maintenance. At this time, the DEX and Osmosis Wallet are inoperable until repairs are completed.”

After investigation, the teams said that the bug was relatively simple, namely a miscalculation of LP shares when adding and removing liquidity. It’s hard to know how such a trivial bug could pass the code testing stages.
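The page describes the bug only as a miscalculation of LP shares on join and exit, and does not give the faulty arithmetic, so the following is an added illustration rather than Osmosis's code: a toy two-asset pool with the share accounting a pool is expected to do (mint shares pro rata to the deposit, pay out pro rata on exit, round in the pool's favour), together with the round-trip invariant a test suite should enforce, namely that joining and immediately exiting can never return more than was deposited and never lowers the per-share value of the reserves. The pool sizes, deposits and the `Pool` / `round_trip_never_profits` names are all constructed for this example.

```python
from dataclasses import dataclass
from math import isqrt


@dataclass
class Pool:
    """Toy constant-product pool with LP-share accounting (illustrative, not Osmosis's code)."""
    reserve_a: int = 0
    reserve_b: int = 0
    total_shares: int = 0

    @classmethod
    def bootstrap(cls, amount_a: int, amount_b: int) -> "Pool":
        """Create a pool and mint the initial shares as the geometric mean of the deposit."""
        pool = cls()
        pool.join(amount_a, amount_b)
        return pool

    def join(self, amount_a: int, amount_b: int) -> int:
        """Deposit both assets and mint shares; integer division always rounds in the pool's favour.

        Shares are computed against each reserve and the minimum is taken, so a
        lopsided deposit cannot mint more shares than its scarcer side justifies.
        """
        if amount_a < 0 or amount_b < 0:
            raise ValueError("negative deposit")
        if self.total_shares == 0:
            minted = isqrt(amount_a * amount_b)
        else:
            minted = min(
                amount_a * self.total_shares // self.reserve_a,
                amount_b * self.total_shares // self.reserve_b,
            )
        self.reserve_a += amount_a
        self.reserve_b += amount_b
        self.total_shares += minted
        return minted

    def exit(self, shares: int) -> tuple[int, int]:
        """Burn shares and pay out the pro-rata portion of each reserve, floored."""
        if shares < 0 or shares > self.total_shares:
            raise ValueError("invalid share amount")
        out_a = shares * self.reserve_a // self.total_shares
        out_b = shares * self.reserve_b // self.total_shares
        self.reserve_a -= out_a
        self.reserve_b -= out_b
        self.total_shares -= shares
        return out_a, out_b


def round_trip_never_profits(pool: Pool, amount_a: int, amount_b: int) -> tuple[bool, tuple[int, int]]:
    """Join then immediately exit; return (invariant_held, payout).

    The invariant that a test suite should assert: the depositor gets back at most
    what they put in, the reserves never shrink below their starting level, and the
    reserves-per-share ratio never decreases (checked by cross-multiplication to
    avoid floating point).
    """
    ra0, rb0, t0 = pool.reserve_a, pool.reserve_b, pool.total_shares
    minted = pool.join(amount_a, amount_b)
    out_a, out_b = pool.exit(minted)
    ra1, rb1, t1 = pool.reserve_a, pool.reserve_b, pool.total_shares
    held = (
        out_a <= amount_a
        and out_b <= amount_b
        and ra1 >= ra0
        and rb1 >= rb0
        and (t0 == 0 or (ra1 * t0 >= ra0 * t1 and rb1 * t0 >= rb0 * t1))
    )
    return held, (out_a, out_b)


def round_trip_holds_for(deposits: list[tuple[int, int]]) -> bool:
    """Run the invariant over a sequence of deposits against one constructed pool."""
    pool = Pool.bootstrap(1_000_000, 4_000_000)
    return all(round_trip_never_profits(pool, a, b)[0] for a, b in deposits)


if __name__ == "__main__":
    pool = Pool.bootstrap(1_000_000, 4_000_000)
    print(round_trip_never_profits(pool, 5_000, 20_000))  # balanced deposit comes back exactly
    print(round_trip_never_profits(pool, 5_000, 10_000))  # lopsided deposit leaves the excess in the pool
    print(round_trip_holds_for([(1, 1), (7, 3), (123_456, 7), (5, 15)]))
```

The point of `round_trip_never_profits` is that it is a property, not a single case: run it over many deposit sizes (including 0, 1, and amounts that do not divide the reserves evenly) and any share formula that lets a deposit-then-withdraw cycle come out ahead fails immediately. A check of this shape in the test stage is the kind of guard the article's "how could such a trivial bug pass testing" question is asking for.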

Regarding losses, Osmosis announced that “all losses would be covered”. To do this, they are counting on the recovery of part of the stolen funds. Whatever is still missing will be taken from the treasury fund dedicated to developers.

A validator takes part in the attack

While the case seemed under control, a new twist occurred. A few hours after the events, the company FireStake, which offers a validator service for the Osmosis network and many other networks in the Cosmos ecosystem, made an announcement that was surprising to say the least.

FireStake declared that it too had taken advantage of the bug discovered on Osmosis DEX. In total, it would be responsible for the siphoning of $2 million.

“In disbelief that the flaw existed, two members of FireStake began testing to see if the bug existed. The test turned into a temporary error in judgment. In the process, we managed to convert 226 USD to ~2M$. We were thinking about the future of our family, not our community.”

Taken by remorse, the FireStake teams decided to make their wrongdoing public and announced that they had contacted the Osmosis teams to return the stolen funds.

An absurd situation, in which a validator, supposed to secure the network and trusted by users who delegate their funds to it, manages to exploit a loophole and turns out to be the source of nearly half of the stolen funds.

On Ethereum, a white hat who discovered a loophole moved 70,000 ETH to a safe place before anyone else could take them. In exchange for bailing out more than $120 million, he got a juicy $6 million reward.

